On August 17, 2009 the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) again revised its data security regulations and delayed enforcement until March 1, 2010. According to OCABR, the new regulations are designed to make clear that companies should take a risk-based approach to data security. The new language requires security safeguards that are appropriate to the size, scope, and type of business handling the information, the resources available to the business, the amount of data stored, and the need for security and confidentiality of both consumer and employee information.
The revised regulations put the burden for data security compliance on businesses that “own or license” personal information about a resident of Massachusetts, and remove the direct regulation of businesses that merely “store or maintain” personal information. However, the regulations expressly obligate businesses that own or license personal information to oversee the security provided by third-party service providers: they must ensure that such third parties are capable of maintaining appropriate security measures in accordance with the regulations, and must require that such third parties contractually agree to implement and maintain appropriate security for personal information. Service provider contracts entered into before March 1, 2010 will not need to comply with the requirements of the regulation until March 1, 2012.
Notably, the revised regulations also retain the controversial encryption requirement.
Copies of the revised regulation are available at www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.